90244 Commits

Author SHA1 Message Date
John Thacker 2b5fd572f7 File sets: Match both formats, compressed files
For file sets produced by multiple file captures, match both
the number before time and the newer time before number format.
Distinguish them in the return value, since files of different
formats are not part of the same set.

Also handle files with a compression suffix as well, as we can
produce that in captures. Since in multi file captures compression
is done when switching files, allow file sets to have a mixture of files
compressed and uncompressed. When doing a multi file capture and
compressing, the last file is not compressed.

Add information to the user guide and release notes

Related to #12371
2024-01-29 13:39:08 +00:00
Martin Mathieson a8aebe5cf4 Check for item long text being 0 - prefer NULL 2024-01-29 11:30:41 +00:00
Joakim Karlsson da8c8fc1cf NGAP: append SMF PDU in column info
This change will append PDUs from TS38.413 ch9.3.4 to column info
2024-01-29 10:07:44 +00:00
Martin Mathieson fde6865fe9 PLDM: make a function static 2024-01-29 09:34:30 +00:00
Martin Mathieson c6fee3ab52 Fix some more item warnings 2024-01-28 22:11:33 +00:00
Jaap Keuter 4a948ad57a SANE: Quality improvements and correction 2024-01-28 21:41:12 +00:00
Gerald Combs 76909e44d2 [Automatic update for 2024-01-28]
Update manuf, services enterprise numbers, translations, and other items.
2024-01-28 20:04:44 +00:00
John Thacker 57bfe3d4a3 COSE: Fix a leak
Fix #19623
2024-01-28 12:09:44 -05:00
John Thacker 2d22fa26ba XMPP: Fix some leaks on malformed data 2024-01-27 19:57:07 -05:00
John Thacker 859e70fbb3 WOW: Fix use of uninitialized memory
tvb_get_raw_bytes_as_string doesn't check lengths, because it's
used elsewhere when the length is unknown. If we use
tvb_get_string_enc, that checks the offsets and throws an
exception as appropriate, but then we have to use g_utf8_strreverse
due to the possibility of UTF-8 REPLACEMENT CHARACTERs.

To handle embedded nulls properly, we need to be using counted
strings (like wmem_strbuf_t) in more places.

Fix #19621
2024-01-27 19:18:41 -05:00
John Thacker c77448d793 GTP, GTPv2: stat taps can't be wmem_file_scope
Stat tap windows can be opened by the GUI (e.g., a
ServiceResponseTimeDialog) when no file is open, and persist
past a file being closed, i.e. outside of wmem_file_scope().

Items concerning the taps should not be created in wmem_file_scope().
This fails an assert, which crashes when built for a Debug target.

To use wmem, we would need to create a scope appropriate for the lifetime
of the ServiceResponseTimeDialog or other Tap dialog (or else add a
callback mechanism to srt table to free items created in epan scope.)

Partially revert 47b310da47
(the part where the stat taps are concerned.)

Related to #19620
2024-01-27 13:32:03 -05:00
Martin Mathieson 5dc8c6d5fb Check valid display value set for ipv4 fields 2024-01-27 18:13:44 +00:00
Martin Mathieson 73c7fcab1e Check that string items have display set to BASE_NONE 2024-01-27 17:12:59 +00:00
Martin Mathieson 7b58f82228 Set BASE_NONE for FT_BOOLEAN items with zero mask 2024-01-27 16:42:17 +00:00
Sebastian Reimers f3216e8c4a RTP: Add OPUS dynamic clockrate
The RTP timestamp is incremented with a 48000 Hz clock rate for all modes of
Opus and all sampling rates. This fixes jitter calculations.

https://datatracker.ietf.org/doc/html/rfc7587#section-4.1
2024-01-27 15:23:54 +00:00
Martin Mathieson 25f8695771 Be careful with scope of strings used for columns in SRT table 2024-01-27 15:21:25 +00:00
Uli Heilmeier 0103e8f9d7 DNS: add queried names to DNS statistics
Queried DNS names can be enabled for DNS statistics with a preference.
For performance reasons this is disabled by default.

Kind of related to #16728 and #16173
2024-01-27 11:35:51 +00:00
Darius Davis 38bcee5963 Services: const-ify the data structures.
The list of TCP/UDP/SCTP/DCCP port numbers never needs to be modified.  This
moves ~150 kBytes of data to a read-only data section.
2024-01-27 11:27:22 +00:00
Dirk Römmen 989002841e BACnet: Fixed dissector for authentication related properties.
Fixed dissector for authentication related properties (open/close
tags were skipped)
Added new vendor IDs as of January 24, 2024.
2024-01-27 11:25:56 +00:00
Sergio de Paula dd846520f4 [Zigbee GP] Fixed move and step cmd dissectors
* Move up/down command should not consider the rate field mandatory
* Step up/down command should not consider the transition time field mandatory
2024-01-27 09:19:49 +00:00
Fabian Bäumer d424f4b330 feat(ssh): Add support for ping@openssh.com message dissection 2024-01-27 00:12:33 +00:00
Fabian Bäumer a335e10838 feat(ssh): Add SSH dissection support for proprietary extensions 2024-01-27 00:12:33 +00:00
Fabian Bäumer c85c4dcfef feat(ssh): Add SSH_MSG_NEWCOMPRESS message value 2024-01-27 00:12:33 +00:00
Fabian Bäumer 7039e85f8e feat(ssh): Add SSH dissection support for RFC8308 extensions 2024-01-27 00:12:33 +00:00
Fabian Bäumer 19ddbcaaae feat(ssh): Add SSH extension dissection support (RFC8308) 2024-01-27 00:12:33 +00:00
John Thacker 352fe53a15 dfilter: use strpbrk when checking if macro or field reference
When trying to check if syntax in a filter that starts with
"${" is a macro or a field reference, use strpbrk to find the
first of '#' (layer) or '}' (closing the macro or field reference
expression.) Using strchr twice in a row causes incorrect behavior
in a long filter that has a '#' located later past the '}',
referring to a layer of a different field.

Also test for ';' and ':' and return if the string has those before
the other two characters.

Those two characters are illegal in fields but indicate that it is
a macro, as they separate macros from their arguments. Skip the other
processing as unnecessary.
2024-01-26 10:49:17 -05:00
David Perry f09710965a [#19584] show heur dissectors in `tshark -G` report
Expand `tshark -G dissector-tables` to also list heuristic dissector
tables. Parallels the output for standard dissector tables with the
following changes:

* Field 3 (ftenum type) is shown as "heuristic"
* Field 4 (base) is omitted, as it always was for non-integer dissector
  tables
* Field 6 (decode as) is omitted, since heuristic tables can't be used
  with "decode as"

Update the tshark man page to reflect this change. Also clarify that the
first field output from `-G heuristic-decodes` is the heuristic table
name.

Implementation detail: heuristic dissector tables are listed after all
other dissector tables, since they are stored in a separate structure
from the other tables. This results in simpler code than attempting to
commingle the entries for both types in strict alphabetical order.

Add descriptive table name
2024-01-26 15:23:22 +00:00
John Thacker 56292dc522 Qt: Set imported hexdumps as tmpfiles, don't set last open dir on them
When calling openCaptureFile() after importing a hexdump,
call it with the is_tempfile parameter set to true, as done
after a merge. That means that the imported file (which is
already written to a temporary directory) is treated like
other temporary capture files and:

* Is deleted if closed without saving
* Is marked as having changes
* Pops up a warning if closed without saving
* Doesn't have its temporary filename shown
* Isn't added to the recent capture file list

When openCaptureFile() is called with is_tempfile set to true,
don't call setLastOpenDirFromFilename. Just like with a new
live capture, temporary files from any source shouldn't change
what directory opens in the file chooser.

Also don't call setLastOpenDir from the separate mergeCaptureFile()
function that handles the merge dialog of two files (unlike the
drag and drop merge) for the same reason.

*Do* call setLastOpenDirFromFilename with the filename of the
hexdump chosen in ImportTextDialog; that's the directory the
user last opened a file from.

Fix #15559
2024-01-26 15:20:43 +00:00
Thibaut Vandervelden a3900a5d5e change display order of IEEE802154 address fields
This patch changes the display order of the IEEE802154 address fields
only for the IEEE802154 tree root. The order of the address fields
for the other trees is not changed. The order is now source address
first. This is not the same as the order in the frame, where the
destination address is first. However, reading it from left to right
makes more sense when the source address is first.
2024-01-26 14:12:47 +00:00
Uli Heilmeier 08956f6d13 DNS: Add expert info for missing response 2024-01-26 14:04:30 +00:00
Darius Davis f5f8a574b1 Tools: const-ify pci-ids data.
This moves ~620 kBytes of data into the read-only data section.
2024-01-26 10:20:29 +00:00
Maxim Sharabayko 864c212b51 SRT: Parse the Group HS extension
Added parsing of the Group handshake extension of the SRT protocol.

Internet-Draft: https://haivision.github.io/srt-rfc/draft-sharabayko-srt.html#section-3.2.1.4
2024-01-26 08:19:47 +00:00
Riya Dixit 1e3a1d7118 Adding PLDM dissector for Platform Specification
This commit implements PLDM dissector
for the Platform specification of the protocol
which is done following DMTF guideline
documentation -
https://www.dmtf.org/sites/default/files/standards/documents/DSP0248_1.2.0.pdf

Testing : For verification of dissector
pcap file collected during host poweron
is used as well as used custom pcaps.

Signed-off-by: Riya Dixit <riyadixitagra@gmail.com>
2024-01-26 07:19:53 +00:00
John Thacker cb259891f7 Qt: Restore drag and drop filter buttons
Commit 9c75c1dc18 introduced
a new eventFilter function for FilterExpressionToolBar but
called the wrong base class function in it, removing the
drag and drop buttons.

Fix #19447
2024-01-25 18:38:38 -05:00
Gerald Combs d1301fecc1 macos-setup: Use `set -e`
Use `set -e` and remove a bunch of no-longer-needed `|| exit 1`s. Make
sure we pass `--fail-with-body` to curl, and that we have a version of
curl that supports that option. Fix other issues that `set -e` turned
up.

[skip ci]
2024-01-25 22:24:04 +00:00
Martin Mathieson 4571d9f194 Fix more FT_BOOLEAN items with no mask - set len to BASE_NONE 2024-01-25 22:01:03 +00:00
Martin Mathieson fa84f7541e Check that FT_BOOLEAN items with zero-mask use BASE_NONE 2024-01-25 19:32:47 +00:00
Antonio Vázquez Blanco bf30e483c0 bthci_vendor: Add broadcom read mem and refactor writemem 2024-01-25 11:40:21 +01:00
John Thacker 5a28b01e86 rtmpt: Don't allow chunk_size to be zero or negative
There's a number of variables that are lengths that should probably
be unsigned, but at least make sure negative values don't get assigned
to the chunk size, which can lead to an infinite loop. (It's read from
the packet as an unsigned 32 bit integer, but it should never in
practice have a value in the top half of that range.)

Fix #19617
2024-01-24 23:10:37 -05:00
Gerald Combs 86705cc863 macos-setup: zstd and lz4 fixes
Pass in our installation prefix at build time, which is required for
prefixes other than /usr/local. Fix a few ShellCheck warnings.

[skip ci]
2024-01-24 17:10:46 -08:00
Anders Broman 4d6a8c85b5 Fix base for FT_BOOLEAN without bitmask(BASE_NONE) 2024-01-24 21:58:02 +01:00
John Thacker 08cf0e9553 file: Don't recompile the dfilter during a live capture
Saving only the dfilter text and recompiling the code when
[re]dissecting or scanning groups of packets operates on the
explicit assumption that previously validated filter text will
always compile to valid filter code

That assumption is not true; while we invalidate the filter and
replace the text with NULL if display filter macros change or
other aspects of the packet matching expressions change so that
the previous text is no longer valid, display filters that match
FT_IPv4 or FT_IPv6 fields to resolved hostnames require a host
name lookup each time they are compiled, which can timeout, especially
if there are too many requests in flight at once. This is particularly
likely if a recompilation is performed each time additional frames
arrive during a live capture.

It is important to stress that the stronger, implicit assumption that
the display filter will compile to the same code is also false.
1) Display filters that require host name lookup can change even if
   it doesn't timeout.
2) Display filter macros can change.
3) Display filters with field references will change if the selected
   frame has changed.

In the case of a rescan, redissection, reload, retap, or opening a
new file, we want the new dfcode. For cf_continue_tail and
cf_finish_tail, when a new batch of frames have arrived, we might
be able to cache the host lookup for 1), and a user might want the
new macro definitions in 2) (but in that case, why not a rescan of
all packets?), but almost surely for 3) wants the field references
of the frame selected in the GUI when the filter was applied, not
whatever frame is currently selected when new packets arrive. So
we keep the old dfcode, and also reduce recompilation (which becomes
more important as the default update interval can be reduced, cf.
f0712606a3 ).

Currently filters with field references don't work at all with
newly arrived frames in live captures, because the references
aren't loaded to the code. This fixes that by using the field
references from the original frame.

Cf. 1370d2f738

Fix #19612. Fix #12517.
2024-01-24 15:42:46 +00:00
John Thacker 70e78cd390 ringbuffer: Use g_path_get_basename to find the last component
On Windows, the path separator can be either G_DIR_SEPARATOR
or '/' (G_DIR_SEPARATOR_S).

Just use g_path_get_basename and g_path_get_dirname rather
than reinventing them, or worrying about which directory
separator we've passed to the function.

Fix #14614
2024-01-24 15:41:36 +00:00
John Thacker 26c6e3af12 test: Skip mongo zstd test if we don't have zstd
Fix the macOS Intel build (but we should find out why zstd
isn't installed right now.)
2024-01-24 09:55:12 -05:00
Anders Broman cf74fae3d9 HTTP2: Heuristically detect application/json 2024-01-24 11:44:08 +00:00
John Thacker ffcf580230 epan: Make hex_str_to_bytes reject an odd # of hex characters >= 3
hex_str_to_bytes currently allows an odd number of hex characters
after a separator (including no separator). It parses them in an
entirely unexpected way; taking two characters at a time to form
one byte and then using the last leftover character by itself,
thus adding a missing lead zero to the last hex character instead
of the first.

E.g., 3.109.209.43 is parsed as 0x03 0x10 0x09 0x20 0x09 0x43

Since this interpretation has never been correct, just disallow any
odd number of hex characters 3 or greater. Continue to support a
single hex character after a separator (or by itself.)

It's still probably too accepting, as it allows the separator to
change back and forth, including back and forth from no separator
when force_separators is false (thus allowing the number of hex
digits between separators to vary.)

Fix #19449. Fix #19604.
2024-01-24 09:07:38 +00:00
John Thacker f274be5523 dfilter: Handle null arguments in macros better
If a null argument is given to a macro, print an error saying that
is disallowed instead of substituting the null argument (i.e., an
unquoted empty string) into the macro.
The latter almost certainly still produces a grammatical error, but it
will be something mysterious that depends on the macro definition like

"==" was unexpected in this context

instead of a useful error string.

For macros that take strings as argument, substituting a null has
never worked either, "" has always needed to be used.

As a special case, accept a single empty argument as meaning
"a macro with 0 arguments" instead of how it is currently treated,
a "macro with 1 null argument", i.e. $mymacro() for the new
function-like syntax and ${mymacro:} for the original syntax.

See 7d87367e22
2024-01-24 08:11:00 +00:00
Gerald Combs c538dd9ff9 tools: Add a protected branch check to validate-commit.py 2024-01-24 02:55:15 +00:00
John Thacker ffbf7ff540 dfilter: Allow semicolons to separate macro name from arg list
Instead of requiring ${macro:arg1;...;argN}, allow the format
${macro;arg1;...;argN}.

The semicolon isn't used anywhere else, it's simple to support,
and already used in the macro syntax. It's easier to remember
if all the separators in a macro are the same.

The colon is allowed in literals, which is why it's not used
between the arguments in the macro argument list, and allowing
it after the name makes the grammar more complicated, including
tokenizing when having pop-ups of potential field matches in
the display filter line edit (#19499.)

Update the documentation for this. Also edit the documentation
for macro syntax in a few places where it implies that whitespace
in macro arguments would be ignored; in fact, it's significant.
2024-01-24 01:00:32 +00:00
Timo Warns 5c972dd075 GNSS: fix formatting of SBAS MT25 velocities
Fix the formatting of SBAS MT25 velocities: Cast constant to int64 type
to ensure that arithmetics for formatting are performed using int64.
2024-01-23 21:40:38 +00:00